[Samba] Linux machine to join Samba Domain

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 3 10:45:05 MDT 2014


On 03/04/14 17:22, vikas wrote:
>
> On Wednesday 02 April 2014 10:32 PM, Rowland Penny wrote:
>> On 02/04/14 17:11, vikas wrote:
>>> Okay, installed the latest sssd and created the sssd.conf file; now where
>>> do I go? How do I auth using a domain user? Or is there anything more to
>>> do? How do I verify things are now working (getent group shows only
>>> local info)?
>>>
>>> sssd.conf
>>> [domain/IK.LOCAL]
>>>
>>> autofs_provider = ldap
>>> cache_credentials = False
>>> debug_level = 6
>>> krb5_realm = IK.LOCAL
>>> ldap_search_base = ou=users,dc=ik,dc=local
>>> id_provider = ldap
>>> auth_provider = ldap
>>> min_id = 10
>>> max_id = 99999
>>> chpass_provider = ldap
>>> ldap_schema = rfc2307
>>> ldap_uri = ldap://192.168.10.16/
>>> ldap_id_use_start_tls = False
>>> ldap_tls_reqcert = never
>>> #ldap_tls_cacertdir = /etc/openldap/cacerts
>>> ldap_group_search_base = ou=group,dc=ik,dc=local
>>> ldap_user_name=uid
>>> [sssd]
>>> services = nss, pam, autofs
>>> config_file_version = 2
>>>
>>> domains = IK.LOCAl
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>>
>>> add entry to hosts and resolv.conf
>>>
>>> On Wednesday 02 April 2014 05:58 PM, Rowland Penny wrote:
>>>> On 02/04/14 13:20, vikas wrote:
>>>>> Hi,
>>>>> thanks for the reply.
>>>>>
>>>>> I need to start from scratch; can someone tell/help me with sssd?
>>>>>
>>>>> Question: after reading
>>>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>>>> what should I do to start? Do I have to install sssd on the server?
>>>>>
>>>>> I tried to compile the latest version on the client (Ubuntu 12.04 64-bit),
>>>>> but it complained that I do not have any OpenLDAP server, so I thought
>>>>> I should go with apt-get install samba-common-bin sssd sssd-tools
>>>>> autofs krb5-user?
>>>>>
>>>>>
>>>> If you need the latest (well not quite the latest) sssd for 12.04, 
>>>> see here:
>>>>
>>>> https://launchpad.net/~sssd/+archive/updates
>>>>
>>>> Rowland
>>>>> Samba compile and domain option used:
>>>>> ./configure --enable-debug --enable-selftest
>>>>> $/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 
>>>>> --interactive
>>>>>
>>>>> smb.conf *short version *
>>>>> [global]
>>>>>         workgroup = IK
>>>>>         realm = IK.LOCAL
>>>>>         netbios name = DC
>>>>>         server role = active directory domain controller
>>>>>         dns forwarder = 192.168.1.1
>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>         log file = /var/log/samba/log.%I
>>>>>         log level = 0
>>>>>         printing = bsd
>>>>>         printcap name = /dev/null
>>>>>         syslog = 0
>>>>> #       include = /usr/local/samba/etc/smb.conf.client-%I
>>>>>
>>>>> smb.conf *long version*
>>>>> http://pastebin.com/P0V8BxAF
>>>>>
>>>>>
>>>>> PS: I just tried Likewise, which worked great, but it was not what I
>>>>> want. Just thinking that if Likewise can work without modifying
>>>>> anything on the server, how do I start with other tools (sssd, nslcd etc.)?
>>>>>
>>>>> On Saturday 29 March 2014 06:33 PM, steve wrote:
>>>>>> On Sat, 2014-03-29 at 17:50 +0530, vikas wrote:
>>>>>>> On Tuesday 18 March 2014 08:32 PM, Sven Schwedas wrote:
>>>>>>>> On 2014-03-18 15:48, vikas wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> can someone help me understand how to add Linux (mostly Ubuntu, SUSE
>>>>>>>>> etc.)?
>>>>>>>>>
>>>>>>>>> What exactly I am looking for is what one should do on the Linux
>>>>>>>>> machine, like editing /etc/nsswitch.conf, PAM-related files etc., but
>>>>>>>>> I don't find any standard way where one can add any Linux machine to
>>>>>>>>> a Samba domain.
>>>>>>>> Because there isn't any. :-)
>>>>>>>>
>>>>>>>>> my goal is just to get authenticated through Samba
>>>>>>>> There's several ways for that...
>>>>>>>>
>>>>>>>>    . Use winbindd. This is probably the most direct equivalent 
>>>>>>>> to Windows'
>>>>>>>> "domain join". It's also crap and only has very limited 
>>>>>>>> features right
>>>>>>>> now (Shell, home etc. aren't read from AD, but statically 
>>>>>>>> configured).
>>>>>>>>
>>>>>>>>    . Use pam_ldap, and nss_ldap, and pam_ccreds, and probably 
>>>>>>>> half a dozen
>>>>>>>> other ill-documented tidbits and not-quite-sufficient software 
>>>>>>>> bits and
>>>>>>>> stitch together a working environment. It's as flexible as it's 
>>>>>>>> error
>>>>>>>> prone, but should work with all corner cases and distributions. 
>>>>>>>> Eventually.
>>>>>>>>
>>>>>>>>    . Use sssd. It's made by RedHat and should be the default 
>>>>>>>> for CentOS,
>>>>>>>> and works sufficiently well with Samba. Needs a bit more 
>>>>>>>> client-side
>>>>>>>> configuration than winbind iirc, but actually uses the provided AD
>>>>>>>> information like shell and home dir.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Windows machines are successfully getting connected to Samba with
>>>>>>>>> all policies working, like USB disable through regedit, disable
>>>>>>>>> drives etc.
>>>>>>>> All of these provide authentication only, though. There's no 
>>>>>>>> policy
>>>>>>>> support, you'd need to use some other sync/deployment method 
>>>>>>>> for PolKit
>>>>>>>> et. al. (and can't configure them via AD, as far as I know).
>>>>>>>>
>>>>>>>>
>>>>>>> Hi all,
>>>>>>> I am trying to authenticate a Linux machine to Samba4, which I am
>>>>>>> trying very hard to do using the below-mentioned links:
>>>>>>> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
>>>>>>>
>>>>>>> http://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/
>>>>>>>
>>>>>>> Using the linuxcosta link I was somewhat near to success (joined the
>>>>>>> domain) but not able to log in using a domain user; the only error it
>>>>>>> was showing was could not contact the LDAP server (on the local
>>>>>>> machine). On the server there was no error activity.
>>>>>> OK, you've joined the domain but can't authenticate? Please 
>>>>>> post:
>>>>>> -smb.conf
>>>>>> -/etc/krb5.conf
>>>>>> -the output of:
>>>>>> klist -ke /etc/krb5.keytab
>>>>>> -/etc/nslcd.conf
>>>>>> -/etc/nsswitch.conf
>>>>>>
>>>>>> And we'll get you authenticated.
>>>>>> Cheers,
>>>>>> Steve
>>>>>
>>>>>
>>>>>
>>>>>> On Saturday 29 March 2014 06:48 PM, Rowland Penny wrote:
>>>>>> Just what did you do? and what are you confused about?
>>>>>> From what you have posted, I think that you want to authenticate 
>>>>>> ubuntu
>>>>>> & suse clients to a Centos samba4 AD server. This should not be a
>>>>>> problem if you follow the instructions on Steve's blog:
>>>>>> http://linuxcostablanca.blogspot.com.es
>>>>>>
>>>>>> Just try coming forward in time a bit on his blog, sometime in April
>>>>>> 2013, I think.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>> OK, I am sure that you posted that the client is joined to a Samba4 
>> AD domain; if so, this is my sssd.conf from my laptop. I have 
>> sanitized it; replace example.com with your realm (respecting case) 
>> and CLIENT$ with the hostname of your client.
>>
>> [sssd]
>> config_file_version = 2
>> domains = example.com
>> services = nss, pam
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/example.com]
>> cache_credentials = true
>> enumerate = true
>> #enumerate = false
>> id_provider = ldap
>> auth_provider = krb5
>> chpass_provider = krb5
>> access_provider = ldap
>>
>> krb5_server = DC.example.com
>> krb5_kpasswd = DC.example.com
>> krb5_realm = example.com
>>
>> ldap_referrals = false
>>
>> ldap_schema = rfc2307bis
>> ldap_access_order = expire
>> ldap_account_expire_policy = ad
>> ldap_force_upper_case_realm = true
>>
>> ldap_user_object_class = user
>> ldap_user_name = sAMAccountName
>> ldap_user_fullname = displayName
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_principal = userPrincipalName
>>
>> ldap_group_object_class = group
>> ldap_group_name = sAMAccountName
>>
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = CLIENT$@example.com
>> ldap_krb5_init_creds = true
>>
>> This relies on the users & groups having uidNumbers & gidNumbers in 
>> AD. Get this working, then add the autofs parts.
>>
>> Rowland
>
> I think I misrepresented myself. I am just trying my steps this time 
> very carefully. The things I have done are below.
> *******At client*********
> 1. installed the latest sssd
> 2. edited the sssd.conf file (now edited with your file as reference)
> 3. not added the machine to the domain

OK, first go and read this:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

This will work with a samba4 AD server.

>
> What do I have to do now?
> 1. should I use the net ads join method and then try sssd?
> 2. what is the use of the uid number & gid number? Okay, I have seen (in the 
> server log) that; do I have to map uid & gid in the server smb.conf file 
> (correct me here)?

You can use sssd without uidNumbers & gidNumbers in AD, but it is 
better to use them, along with the rest of the RFC2307 attributes, but 
you will need to add them yourself to each user & group. If you do not 
want to add them, read the manpages for sssd.

Rowland
>
>
> *******At server*********
> 1. is there anything to do related to uid and gid, or anything on the 
> server? If yes, what?
> 2. do I have to generate krb, *.keytab etc. files?
>
> thanks
>
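An added check, not part of this thread or of sssd itself, that lints an sssd.conf for the problems visible in the configs above: a `domains =` name with no matching `[domain/...]` section (compare IK.LOCAl with [domain/IK.LOCAL] in the first config), plain ldap:// with STARTTLS switched off, and `ldap_tls_reqcert = never`. The sample config is constructed for the example and only loosely modelled on the thread's first one.

```python
"""Lint an sssd.conf for misconfigurations seen in this thread."""
import configparser
from typing import List

# Constructed sample, loosely modelled on the first sssd.conf in the thread.
SAMPLE_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = IK.LOCAl

[domain/IK.LOCAL]
id_provider = ldap
auth_provider = ldap
krb5_realm = IK.LOCAL
ldap_uri = ldap://192.168.10.16/
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
"""


def lint_sssd_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    sections = [s for s in cp.sections() if s.startswith("domain/")]
    for dom in declared:
        if f"domain/{dom}" not in sections:
            # Require an exact match; a case slip leaves the domain unconfigured.
            near = [s for s in sections if s.lower() == f"domain/{dom}".lower()]
            hint = f" (did you mean [{near[0]}]?)" if near else ""
            findings.append(f"domains lists '{dom}' but there is no [domain/{dom}] section{hint}")
    for sec in sections:
        uri = cp.get(sec, "ldap_uri", fallback="").strip()
        starttls = cp.get(sec, "ldap_id_use_start_tls", fallback="true").lower()
        if uri.startswith("ldap://") and starttls in ("false", "no", "0"):
            findings.append(f"[{sec}]: plain ldap:// with STARTTLS off; directory traffic is unencrypted")
            if cp.get(sec, "auth_provider", fallback="") == "ldap":
                # sssd refuses to send a simple-bind password over a cleartext connection.
                findings.append(f"[{sec}]: auth_provider = ldap needs TLS; logins will fail here")
        if cp.get(sec, "ldap_tls_reqcert", fallback="demand").lower() == "never":
            findings.append(f"[{sec}]: ldap_tls_reqcert = never disables server certificate checks")
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF):
        print("-", finding)
```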


